Trustwave Blog

Perspective:

Q&A: How Security Professionals are Dealing with Web, Email and Social Threats

Malware is, indeed, everywhere. Osterman Research Inc. recently conducted a survey on web, email and social media security, which polled security decision makers on malicious threats using these channels to attack businesses. We decided to work some of the results from that survey, which Trustwave sponsored, into a stylish and handy new infographic, titled "Malware Everywhere," which we published yesterday.

Today, we are pleased to present a Q&A with Michael Osterman, principal of Osterman Research. He is an independent analyst and an expert in content security. We asked him to lend his valuable insight and make sense of the survey findings, putting into context why organizations seem to be making little to no progress on stymieing malware and data loss across the web, email and social media.

Osterman also describes what sorts of technologies and delivery models businesses should now be embracing to fight these emerging and targeted threats in real time, how security practitioners can no longer can say "no" to social media, and why Bill Gates' prediction on the end of spam likely will never come true. Osterman also suggests best practices for companies that want to stop throwing valuable resources and manpower at these pain points, and dedicate more of their IT efforts at business enablement.

Trustwave: Hi Michael. Thanks for taking time to chat. So, the survey you just conducted dives into a number of specific areas, but let me start with the gist: The ability of organizations to handle spam, malware and web-based threats is not getting much better. Why is this?

Michael Osterman: The biggest reason that things are not improving is that cybercrime is a moving target, and a well-funded one at that. Individuals and companies are in possession of valuable data that bad guys want to acquire. Cybercriminals have well-funded operations that are able to refine their hacking attempts, their phishing attempts, their spear-phishing attempts, etc. As a result, they're able to become better over time. The fact that most organizations are not seeing improvements is evidence that they're simply able to keep up with bad guys, but are not yet getting the upper hand.

TW: Specific to spam, experts have credited the general slowdown in unsolicited email to better filtering technology, botnet takedowns and more profitable ways for cybercriminals to make money. Yet, according to the survey, security practitioners aren't seeing much improvement, if any. Will, as Bill Gates predicted a long time ago, spam ever be conquered?

MO: The second question first: No. We will always have some level of spam because it's still effective at separating some people from their money. Not as effective as phishing attempts, perhaps, but effective nonetheless. With regard to the general slowdown in spam, there have been some major takedowns and filtering technology is getting better. But there's still the human element that will motivate some people to click on a spam message because they like the offer with which they're presented or they're curious.

TW: What's the bigger concern businesses are facing: malware coming in at the hands of attackers or sensitive data being leaked out - either mistakenly or maliciously - by employees? In other words, as you see it, which is more troubling: the external or internal threat?

MO: That's a tough question to answer because it depends on a number of factors, but generally the insider threat is the more serious risk because employees are assumed to be inherently trustworthy. Any organization could have its own version of Edward Snowden waiting in the wings to steal intellectual property, pass along trade secrets to competitors, capture large amounts of information that might be useful if they are moving to a new job, or something else. Employees will rarely be questioned if they plug a USB drive into their computer, if they use a hosting service to upload corporate files, or if they use their own computer while working from home.

That said, businesses need to protect themselves from the external threat, as well. Keystroke loggers and other forms of malware, not to mention hacking, have resulted in the loss of millions of dollars from bank accounts - particularly in smaller businesses - and so decision makers need to guard against that threat, as well.

TW: Your research discovered that many security professionals still aren't sold on the legitimacy of social media applications, yet it's increasingly harder - if not impossible - to justify blocking them. How should security be approached when it comes to sites like Twitter, Facebook and LinkedIn?

MO: Decision makers need to accept the fact that social media offers tremendous benefits, and so instead of blocking the use of these tools, they should embrace them and protect against their illegitimate use. That means allow the use of Facebook for information sharing, but not Farmville. Allow the use of Twitter, but scan the URLs that are included in tweets. Social media needs to be managed just like any other business communication tool.

TW: According to the survey, the top concern from security professionals seems to be the possibility of malware being introduced via an employee's web surfing. Isn't preventing this as easy as instructing employees to avoid offensive sites, or simply restricting access to these sites - and the problem would be solved?

MO: That used to be the case, but no more. Completely legitimate sites can become infected with malware, and so doing nothing more than visiting one of these sites can infect an entire organization with malware. By all means, employees should be instructed not to visit gambling, porn or other sites that have no legitimate business value - and access to these sites should be blocked by using the appropriate web filtering technology - but the right technologies need to be implemented that will guard against the threat from legitimate web surfing, as well.

TW: So when it comes to all of these threats, the survey shows that IT departments are spending a disproportionate amount of time responding. I'd assume they could be doing more business-enabling things during that time?

MO: Absolutely correct! While some amount of IT time needs to be spent managing security, the goal should be to minimize this time investment so that IT can work on things that will provide more value to their employer. When it comes right down to it, even though security is an incredibly valuable component and needs to be funded at the appropriate level in any organization, it does nothing to improve the business or make it more competitive. Valuable IT people should spend as much of their time as possible on those activities that will enable competitive advantage, improve employee productivity or otherwise enable the business to do bigger and better things.

TW: OK, so let's talk fixes. Mainstay technologies like anti-virus and firewalls have been around forever, it seems, but the problems are worsening. Do organizations need to consider other, more advanced solutions? And what about training employees to be more security conscious?

MO: We recommend starting with employees as the first line of defense by training them on an ongoing basis. They're the ones that can thwart some attacks by not responding to phishing attempts in email, that can avoid clicking on short URLs in tweets, or that can simply not click on questionable links in Facebook. However, solutions need to be put in place that will protect all of the venues from which malware and other bad stuff might enter, and will protect the organization from data leaks and the like. That means robust defenses against traditional threat sources like email, but also good web defenses, solutions that will scan incoming social media content, solutions that will scan content coming in from cloud storage systems, that will scan smartphones, etc. Essentially, businesses need to protect every ingress and egress point that represents a threat for malware incursion or data leakage.

TW: Finally, considering the time suck that these threats bring, should organizations consider offloading some or all of this responsibility to companies that specialize in security? If so, what are the benefits of this model?

MO: Most definitely! Security vendors should be viewed as partners in the battle against malware, hacking attempts, phishing attempts, etc., and at least some of the responsibility for corporate defense should be offloaded to them. For example, we have recommended for years that businesses should use cloud-based filtering to prevent as much spam and malware from reaching the corporate network as possible. That will not only reduce the amount of bad stuff hitting the network, but it will allow on-premises systems to do the "heavy lifting" of deep content inspection and other CPU-intensive activities.

Michael Osterman is the principal of Osterman Research, Inc., founded in 2001.Since that time, the company has become one of the leading analyst firms in the messaging and collaboration space.